Networking Fundamentals · intermediate · ~12 min

Reading packet captures with Wireshark

Open a capture, follow a stream, and read the layered headers of a packet.

Overview

A pcap records traffic; Wireshark/tcpdump read it. Each packet shows the layered headers (Ethernet → IP → TCP → HTTP). Core skills: display filters, follow stream, spotting the handshake and flags.

Why it matters

Captures are ground truth: they confirm what a scan or exploit actually did on the wire, reveal cleartext credentials, and teach protocol behaviour. Reading them is a daily skill in both offence and defence.

Core concepts

  • Layered view: each packet decodes link/internet/transport/application headers.
  • Display filters: tcp.port==80, ip.addr==x, http, dns.
  • Follow stream: reassemble a conversation.
  • Flags: SYN/ACK/FIN/RST signal connection state.
  • Legality: capture only what you're authorised to.

Lesson

A packet capture (pcap) is a recording of network traffic. Wireshark (GUI) and tcpdump (CLI) read and write them. Reading captures is how you verify what's actually on the wire.

Anatomy of a captured packet

Wireshark shows the layers you learned, top to bottom:

Frame 12: 74 bytes
Ethernet II   src/dst MAC          ← link
Internet Protocol  src/dst IP      ← internet
Transmission Control Protocol  src/dst port, flags, seq  ← transport
Hypertext Transfer Protocol  GET / ...    ← application

Click a layer to highlight its bytes — encapsulation made visible.

Skills that matter

  • Display filters: tcp.port == 80, ip.addr == 10.0.0.5, http, dns. Address and port filters match either direction, so one filter shows both halves of a conversation; a protocol-name filter such as http matches what the dissector recognised as HTTP, so cleartext HTTP on an unusual port may need tcp.port or "Decode As" instead.
  • Follow stream: reassemble a whole TCP conversation into readable text. This is where cleartext credentials, cookies and command output become visible.
  • Spot the handshake: SYN, SYN-ACK, ACK at the start of a TCP flow. The SYN-ACK acknowledges the client's sequence number plus one, and the final ACK acknowledges the server's sequence number plus one; that pairing is how you tie the three packets together.
  • Read flags: SYN, ACK, FIN, RST tell you the connection's state. A SYN answered by RST is a closed port, which is exactly what a port scan looks like on the wire; FIN is an orderly close, RST an abort.

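The layered decode from "Anatomy of a captured packet" and the skills above, as an added example in C (not the course's exercise code): it parses a fixed byte buffer into the Ethernet, IPv4 and TCP fields Wireshark shows, labels the flags the way the Info column does, implements the equivalent of the tcp.port and ip.addr display filters, and checks three parsed packets for a valid handshake. The 54-byte frame, the addresses and the sequence numbers are a constructed fixture; IP and TCP checksums are left at zero because, like the lesson, the parser never verifies them.

```c
/* Added example, not the course's exercise code: decode Ethernet -> IPv4 -> TCP from a
 * fixed byte buffer, label flags as Wireshark's Info column does, and apply two display
 * filters.  Constructed fixture; checksums are zero since this parser never verifies them. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14
#define ETHERTYPE_IPV4 0x0800
#define PROTO_TCP 6
enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04, TCP_ACK = 0x10 };

struct pkt {                                                     /* what Wireshark shows per layer */
    uint8_t  dst_mac[6], src_mac[6]; uint16_t ethertype;         /* Ethernet II */
    uint8_t  ip_proto; uint32_t src_ip, dst_ip;                  /* IPv4, host byte order */
    uint16_t src_port, dst_port; uint32_t seq, ack; uint8_t flags; /* TCP */
    size_t   payload_off;                                        /* offset of first payload byte */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* 0 on success, -1 if the frame is truncated or not IPv4/TCP.  Each header length is
 * checked before the next header is read: a capture is untrusted input, and a lying
 * IHL or data offset must not walk the parser past the end of the buffer. */
int parse_frame(const uint8_t *buf, size_t len, struct pkt *out)
{
    if (len < ETH_HLEN) return -1;
    memcpy(out->dst_mac, buf, 6); memcpy(out->src_mac, buf + 6, 6);
    out->ethertype = rd16(buf + 12);
    if (out->ethertype != ETHERTYPE_IPV4) return -1;
    const uint8_t *ip = buf + ETH_HLEN;
    if (len < ETH_HLEN + 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                     /* IHL counts 32-bit words */
    size_t tot = rd16(ip + 2);                                   /* IPv4 total length */
    if (ihl < 20 || tot < ihl + 20 || tot > len - ETH_HLEN) return -1;
    out->ip_proto = ip[9];
    out->src_ip = rd32(ip + 12); out->dst_ip = rd32(ip + 16);
    if (out->ip_proto != PROTO_TCP) return -1;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;                    /* data offset, 32-bit words */
    if (doff < 20 || doff > tot - ihl) return -1;
    out->src_port = rd16(tcp); out->dst_port = rd16(tcp + 2);
    out->seq = rd32(tcp + 4); out->ack = rd32(tcp + 8);
    out->flags = tcp[13]; out->payload_off = ETH_HLEN + ihl + doff;
    return 0;
}

/* Info-column label.  RST wins because a reset ends the conversation whatever else
 * is set; PSH/URG/ECN bits are ignored, as the lesson's four-flag model does. */
const char *flag_name(uint8_t f)
{
    if (f & TCP_RST) return "RST";
    if ((f & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)) return "SYN-ACK";
    if (f & TCP_SYN) return "SYN";
    if (f & TCP_FIN) return "FIN";
    if (f & TCP_ACK) return "ACK";
    return "none";
}

/* Display-filter equivalents: `tcp.port == N` and `ip.addr == A` match either
 * direction, which is why one filter shows both halves of a conversation. */
int match_tcp_port(const struct pkt *p, uint16_t port) { return p->src_port == port || p->dst_port == port; }
int match_ip_addr(const struct pkt *p, uint32_t addr)  { return p->src_ip == addr || p->dst_ip == addr; }

/* Three-way handshake: SYN; SYN-ACK from the other end acknowledging seq+1; then an
 * ACK from the client acknowledging the server's seq+1. */
int is_handshake(const struct pkt *a, const struct pkt *b, const struct pkt *c)
{
    int reply = b->src_ip == a->dst_ip && b->dst_ip == a->src_ip &&
                b->src_port == a->dst_port && b->dst_port == a->src_port;
    int same  = c->src_ip == a->src_ip && c->dst_ip == a->dst_ip &&
                c->src_port == a->src_port && c->dst_port == a->dst_port;
    return reply && same && b->ack == a->seq + 1 && c->ack == b->seq + 1 &&
           !strcmp(flag_name(a->flags), "SYN") && !strcmp(flag_name(b->flags), "SYN-ACK") &&
           !strcmp(flag_name(c->flags), "ACK");
}

/* Constructed fixture: first packet of 10.0.0.5:40000 -> 10.0.0.1:80.  14-byte
 * Ethernet + 20-byte IPv4 (no options) + 20-byte TCP SYN (no options, no payload). */
static const uint8_t SYN_FRAME[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,  /* dst MAC, src MAC, IPv4 */
    0x45,0x00, 0x00,0x28, 0x00,0x01, 0x40,0x00, 0x40,0x06, 0x00,0x00,         /* v4 IHL 5, len 40, DF, TTL 64, TCP, csum */
    0x0a,0x00,0x00,0x05, 0x0a,0x00,0x00,0x01,                                 /* 10.0.0.5 -> 10.0.0.1 */
    0x9c,0x40, 0x00,0x50, 0x00,0x00,0x10,0x00, 0x00,0x00,0x00,0x00,           /* 40000 -> 80, seq 4096, ack 0 */
    0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00                                /* doff 5, SYN, win 65535, csum, urg */
};
#define OCTETS(a) (unsigned)((a) >> 24), (unsigned)((a) >> 16 & 255), (unsigned)((a) >> 8 & 255), (unsigned)((a) & 255)

int main(void)
{
    struct pkt p;
    if (parse_frame(SYN_FRAME, sizeof SYN_FRAME, &p) != 0) return 1;
    printf("IPv4 %u.%u.%u.%u -> %u.%u.%u.%u  TCP %u -> %u [%s] seq=%lu payload=%zu bytes\n",
           OCTETS(p.src_ip), OCTETS(p.dst_ip), (unsigned)p.src_port, (unsigned)p.dst_port,
           flag_name(p.flags), (unsigned long)p.seq, sizeof SYN_FRAME - p.payload_off);
    return 0;
}
```

The length checks are the part worth copying into your own exercises: the IHL and data-offset fields are read from the capture itself, so a malformed or hostile frame can claim a header longer than the bytes that exist, and a parser that trusts them reads off the end of the buffer. Passing a shorter length than the frame's declared total, or patching the data offset to 0xf0, should make parse_frame return -1 rather than decode garbage.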
Legal note

Only capture traffic you're authorised to — your own host, a lab, or a network you have written permission to test. Capturing others' traffic is wiretapping. Every lab in this course uses loopback or static fixtures.

In this course

You won't run a live sniffer here (that needs privileges and a real NIC), but the matching C exercises have you parse the same headers — IPv4, TCP flags, ARP frames — from fixed byte buffers, which is exactly what Wireshark does internally.

Summary

Packet captures show the layered reality of traffic; Wireshark filters and stream-following turn raw bytes into understanding. The header-parsing C exercises in this course mirror exactly what a capture tool does internally — within strict legal, lab-only bounds.
